Configuring Server Certificates for SSL

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Some of the Web sites on the source server might use Secure Sockets Layer (SSL) to encrypt confidential information exchanged between the Web server and the client. For each SSL-encrypted Web site that you migrated from the source server, you need to ensure that you have a certificate for that Web site installed on the target server. You can either renew the existing certificates on the source server in a format that is compatible with IIS 6.0 or you can request new certificates. After you have installed the server certificates on the target server, you can import the certificates into the certificate store on the target server, and then configure your Web sites to use the appropriate certificates.

Note

Server certificates are installed on the Web server and typically require no additional configuration on the client servers. Server certificates allow the clients to verify the identity of the server. Alternatively, some Web sites and applications might require client certificates. Client certificates are installed on the client servers and allow the server to authenticate the clients. For more information about configuring client certificates, see Certificates_IIS_SP1_Ops.

For each Web site and application that uses SSL, configure the server certificate for SSL by completing the following steps:

  1. Obtain an SSL server certificate that is compatible with IIS 6.0 by doing one of the following:

    • Renew an existing certificate in a format that is compatible with IIS 6.0.

      The SSL server certificate on the source server is in a format that is incompatible with IIS. You can renew an existing certificate with your certification authority in a format that is compatible with IIS 6.0.

      For more information about renewing existing server certificates in a format that is compatible with IIS 6.0, contact your certification authority.

    • Request a new certificate from a certification authority in a format that is compatible with IIS 6.0.

      You can use the Web Server Certificate Wizard either to generate a certificate request file (Certreq.txt, by default) that you send to a certification authority, or to generate a request for an online certification authority, such as Microsoft Certificate Services in Windows Server 2003. Depending on the level of identification assurance offered by your server certificate, you can expect to wait several days to several months for the certification authority to approve your request and send you a certificate file.

      For more information about requesting a server certificate by using the Web Server Certificate Wizard, see Request a Server Certificate.

  2. Install the SSL server certificate to be used by the Web site on the target server.

    After you obtain an SSL server certificate, you need to install the certificate on the target server. Install the SSL server certificate on the target server by using the Certificates MMC snap-in.

    For more information about installing the SSL server certificate on the Web server, see Install a Server Certificate.

  3. Assign the SSL server certificate to the Web site.

    For more information about assigning the SSL server certificate to the Web site, see Assign a Server Certificate to a Web Site.
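
A check you can run on the target server between steps 2 and 3, as an added example that is not part of the original topic. It assumes Windows PowerShell is installed on the target server; the host names are constructed placeholders and the function names are hypothetical. It compares only the certificate subject's common name, not subject alternative names.

```powershell
# Added example: confirm that every migrated SSL site has a usable server
# certificate in the Local Computer\Personal store before assigning it in IIS.
# Constructed placeholder host names; replace with your migrated SSL sites.
$siteNames = @('www.example.com', 'shop.example.com')

function Test-NameMatch([string]$certName, [string]$hostName) {
    # Exact match (case-insensitive), or a wildcard such as *.example.com
    # that covers exactly one additional label.
    if ($certName -eq $hostName) { return $true }
    if ($certName.StartsWith('*.')) {
        $suffix = $certName.Substring(1)      # ".example.com"
        $dot = $hostName.IndexOf('.')
        return ($dot -gt 0 -and $hostName.Substring($dot) -eq $suffix)
    }
    return $false
}

function Get-SiteCertificateStatus([string]$hostName) {
    $now = Get-Date
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    # Collect certificates whose subject common name covers this host name.
    $matching = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        Test-NameMatch ($_.GetNameInfo($nameType, $false)) $hostName
    })
    if ($matching.Count -eq 0) {
        return "$hostName : MISSING (no certificate with this name in the store)"
    }
    foreach ($cert in $matching) {
        if (-not $cert.HasPrivateKey) {
            # A certificate imported without its private key cannot serve SSL.
            $state = 'NO PRIVATE KEY'
        } elseif ($now -lt $cert.NotBefore) {
            $state = 'NOT YET VALID'
        } elseif ($now -gt $cert.NotAfter) {
            $state = 'EXPIRED'
        } else {
            $state = 'OK'
        }
        # One line per candidate certificate, identified by thumbprint.
        "$hostName : $state (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
    }
}

foreach ($name in $siteNames) { Get-SiteCertificateStatus $name }
```

Any site reported as MISSING, NO PRIVATE KEY, or EXPIRED needs step 1 or step 2 repeated before the certificate is assigned in step 3.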